moonshotcollective / pay.party

pay-party.vercel.app
MIT License

http does not redirect to https #110

Open garmeeh opened 2 years ago

garmeeh commented 2 years ago

Describe the bug: Hey, I just came across your site earlier. I clicked a link from Twitter where someone tweeted and mentioned pay.party; this resulted in me landing on http://pay.party and getting the "Not Secure" warning.

To Reproduce: Steps to reproduce the behavior:

  1. Go to 'http://pay.party'
  2. Notice it does not redirect to secure site

Expected behavior: It redirects to the secure site.

wkarshat commented 2 years ago

An issue with the site, not the app. Tip.Party appears to handle http redirect correctly, but where's its site repo?

hmrtn commented 2 years ago

https://pay.party and https://app.pay.party / https://dev.pay.party do have the correct certificates. This is an issue with the landing page redirects. Looking into it.

nyedidikeke commented 2 years ago

> An issue with the site, not the app. Tip.Party appears to handle http redirect correctly, but where's its site repo?

> https://pay.party and https://app.pay.party / https://dev.pay.party does have the correct certificates. This is an issue with the landing page redirects. Looking into it.

@wkarshat @hmux The challenge is not with "the site" nor "the app". Nor is it about the correctness of the TLS certificates; it is about unencrypted data in transit, thereby making users more susceptible to attacks. I wouldn't have the site available over both HTTP and HTTPS and redirect HTTP to HTTPS; it would work, yes, but it is strongly discouraged.

An attacker resolved to launch a MITM attack on users could persuade them to visit your site over plain HTTP. The attacker may fake your site and acquire sensitive data from your users, or proxy to the legitimate HTTPS version of your site and snoop all data, if traffic could be diverted (e.g. DNS poisoning).

Why not serve just one version of the site (HTTPS only), simply redirect incoming HTTP traffic to HTTPS, then enable HSTS to aid in the prevention of the scenario above?